New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs

A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack Reference (OSC&R) initiative, led by OX Security, evaluates software supply chain security threats, covering a wide range of attack vectors including vulnerabilities in third-party libraries and components, supply chain attacks on build and deployment systems, and compromised or malicious software updates. Cybersecurity professionals among the matrix's founding consortium include representatives from GitLab as well as former leaders from Microsoft, Google Cloud, Check Point Technologies, and OWASP.

OSC&R addresses need for MITRE-like security framework for software supply chain

The OSC&R framework has been created to address the need for a MITRE ATT&CK-like framework that allows experts to better understand and measure software supply chain risk, Neatsun Ziv, founder of OX Security, tells CSO. "In other fields, let's say endpoint and ransomware, there are great frameworks that give a full view of the threat landscape," he says. "When it comes to the software supply chain, there is no understanding whatsoever in the industry. What we're trying to do is take all the information that is out there and build it into a framework that every practitioner will be able to use to assess what they're currently doing in terms of the software supply chain, understand what their exposures are, and try to understand how to address them in a rapid way." Hiroki Suezawa, senior security engineer at GitLab, stated that the framework gives the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions, helping security teams build their security strategy with confidence.

OSC&R framework focuses on software supply chain attack methods
"The OSC&R framework focuses on attack kill chains and the processes adversaries employ to carry out software supply chain attacks," Ziv says. "The OSC&R framework follows the steps attackers take and gives defenders visibility they currently do not have to help them secure themselves and understand where they are vulnerable and should focus their efforts," he adds. OSC&R is now ready to be used by security teams to evaluate existing defenses and define which threats need to be prioritized and how existing coverage addresses those threats, as well as to help track the behaviors of attacker groups. It will be updated regularly as new tactics and techniques emerge and evolve, and it will assist red-teaming activities by helping set the scope required for a pen test or a red team exercise, serving as a scorecard both during and after the test. Around 20 companies are contributing to the framework as part of a working group, with the aim of opening it up for wider industry contribution in the next few months, Yeal Citro, OX Security consultant, tells CSO. "Everyone will be able to share their knowledge and expertise and experience - that is really where the project is headed," she adds.

Software supply chain security still high on the agenda

Software supply chain security is high on the agenda for businesses and the security industry as software supply chain-related compromises and risks continue to impact organizations across the globe. The publication emphasizes the role developers play in creating secure software and provides guidance in line with industry best practices and principles, which software developers are strongly encouraged to reference. In July, the Center for Internet Security published similar best practice guidance for securing each phase of the software supply chain.
In May, Rezilion launched Dynamic SBOM, an application designed to plug into an organization's software environment to examine how multiple components are being executed in runtime, and reveal bugs and vulnerabilities.

This Cyber News was published on www.csoonline.com. Publication date: Wed, 01 Feb 2023 19:06:03 +0000

